Hello, yes, the empty section would need to be pre-populated. Thanks for adding visibility to this, as I noticed OpenBSD has p0f as well as FreeBSD; the FreeBSD-based pfSense is being used as an example. Yes, this database is starting to show its age.
> On Jul 4, 2023, at 1:22 AM, Stuart Henderson <s...@spacehopper.org> wrote:
>
> On 2023/07/04 09:48, Solène Rapenne wrote:
>> On Tue, 2023-07-04 at 03:39 +0000, Lee, Jonathan D wrote:
>>>
>>> Hello fellow software developers,
>>>
>>> I have noticed that p0f database files are not being updated. Many
>>> new operating system fingerprints are missing within the pf.os
>>> database file that your software uses. I have added a section in
>>> pf.os for Docker containers; see the below diff checker output. Yes,
>>> this is unorthodox for the diff file; again, it is only a blank area
>>> for new OS entries, and it helps bring to light that containers can
>>> also be fingerprinted. The docx that is attached helps to showcase
>>> the Kali penetration software running inside of a Docker container.
>>> The container was spun up and spun down and also deleted. I have
>>> fingerprinted this Docker container with the program p0f. I noticed
>>> that p0f is used with pfSense and is used with access control lists
>>> for source address OS; see attached photos. Again, for this to function
>>> correctly it needs the database updated and new categories like many
>>> of the mainstream containers. We can fingerprint them like other OS
>>> systems.
>>>
>>
>> It seems you are using pfSense, which is based on FreeBSD.
>> You are on the OpenBSD mailing list.
>>
>> Even if we update our fingerprint database to add Docker like you
>> suggest, this won't reflect in the product you are using.
>
> If somebody is able to send working TCP SYN signatures for the old
> version of p0f that's used in PF (note that the separate p0f program
> has changed quite a lot in the meantime and uses a different database
> format), that don't cause problems with false detection, they could be
> added. But there's no value in adding an empty placeholder section.
>
> I'm a bit unsure whether this is going to be possible though (in
> particular that they can be reliably identified separate to the
> container's base OS).
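The thread above turns on two things a would-be contributor has to get right: the old pf.os(5) signature layout that PF's "os" keyword consumes (wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details), and Stuart's requirement that a new entry not collide with an existing one. The following is an added example, not code from the list participants, from OpenBSD or from p0f: it parses pf.os-style lines, matches a SYN's observed characteristics against them, and flags a candidate entry whose packet-side fields already exist under another genre. All sample entries and SYNs are constructed for this example (the genre names BaseOS, OtherOS and Container are placeholders, not real fingerprints), and the TTL rule (`TTL_SLACK`, accept a TTL up to 32 below the signature's initial TTL) is a stated simplification of PF's own comparison, not a claim about how pf_osfp matches.

```python
"""Parser and matcher for the pf.os(5) fingerprint layout (the old p0f
signature format used by PF's "os" rule keyword).

Added example; not OpenBSD, pfSense or p0f code.  Sample entries and SYNs
below are constructed, and the TTL tolerance is an assumed simplification.
"""
import re
from dataclasses import dataclass

# One pf.os line:  wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
_OPTION_RE = re.compile(r'^(N|S|T0?|E|M(?:\*|\d+)|W(?:\*|\d+)|\?\d+)$')
_WINDOW_RE = re.compile(r'^(\*|%\d+|S\d+|T\d+|\d+)$')

# Assumption for this example: a SYN matches an entry's initial TTL if the
# observed TTL is at most this many hops below it.
TTL_SLACK = 32


@dataclass(frozen=True)
class Fingerprint:
    window: str       # '*', '%N' (modulo), 'SN' (N*MSS), 'TN' (N*MTU) or a number
    ttl: int          # initial TTL
    df: int           # don't-fragment bit
    size: int         # total SYN packet size
    options: tuple    # TCP option tokens in wire order, e.g. ('M*', 'N', 'W0')
    genre: str
    version: str
    subtype: str
    details: str

    def key(self):
        """Packet-side part of the entry: two entries with the same key can
        never be told apart by the matcher, whatever their genre says."""
        return (self.window, self.ttl, self.df, self.size, self.options)


def parse_line(line):
    """Parse one pf.os line; returns None for blank and comment lines."""
    body = line.split('#', 1)[0].strip()
    if not body:
        return None
    fields = body.split(':')
    if len(fields) != 9:
        raise ValueError(f'expected 9 colon-separated fields: {body!r}')
    window, ttl, df, size, opts, genre, version, subtype, details = fields
    if not _WINDOW_RE.match(window):
        raise ValueError(f'bad window spec {window!r}')
    options = tuple(o.strip() for o in opts.split(',')) if opts.strip() else ()
    for o in options:
        if not _OPTION_RE.match(o):
            raise ValueError(f'bad option token {o!r}')
    return Fingerprint(window, int(ttl), int(df), int(size), options,
                       genre, version, subtype, details)


def parse_db(text):
    return [fp for fp in (parse_line(l) for l in text.splitlines()) if fp]


def _window_ok(spec, window, mss):
    if spec == '*':
        return True
    if spec.startswith('%'):
        return window % int(spec[1:]) == 0
    if spec.startswith('S'):                       # multiple of MSS
        return bool(mss) and window == int(spec[1:]) * mss
    if spec.startswith('T'):                       # multiple of MTU (MSS+40)
        return bool(mss) and window == int(spec[1:]) * (mss + 40)
    return window == int(spec)


def _options_ok(sig_opts, pkt_opts):
    if len(sig_opts) != len(pkt_opts):
        return False
    for s, p in zip(sig_opts, pkt_opts):
        if s in ('M*', 'W*'):                      # wildcard MSS / window scale
            if not p.startswith(s[0]):
                return False
        elif s != p:
            return False
    return True


def match(db, syn):
    """Entries ('genre version') that a SYN matches.  `syn` is a dict with
    window, ttl, df, size, mss and options (tokens such as 'M1460')."""
    hits = []
    for fp in db:
        if not (0 <= fp.ttl - syn['ttl'] < TTL_SLACK):
            continue
        if fp.df != syn['df'] or fp.size != syn['size']:
            continue
        if not _window_ok(fp.window, syn['window'], syn.get('mss')):
            continue
        if not _options_ok(fp.options, tuple(syn['options'])):
            continue
        hits.append(f'{fp.genre} {fp.version}')
    return hits


def collisions(db, candidates):
    """Candidates whose packet-side key already exists under another genre:
    adding them makes every match of that key ambiguous."""
    seen = {}
    for fp in db:
        seen.setdefault(fp.key(), set()).add(fp.genre)
    return [(c.genre, sorted(seen[c.key()])) for c in candidates
            if c.key() in seen and seen[c.key()] != {c.genre}]


# Constructed pf.os-style entries (placeholder genres, not a real pf.os excerpt).
SAMPLE_DB = """\
# constructed entries for this example
S4:64:1:60:M*,N,W0,N,N,T:BaseOS:9:generic:BaseOS 9 (constructed)
64240:64:1:60:M*,S,T,N,W7:BaseOS:10:generic:BaseOS 10 (constructed)
%8192:128:1:48:M*,N,N,S:OtherOS:5:generic:OtherOS 5 (constructed)
"""
# Constructed candidate whose packet-side fields equal the BaseOS 10 entry.
CANDIDATE = "64240:64:1:60:M*,S,T,N,W7:Container:docker:generic:Docker on BaseOS 10 (constructed)"

# Constructed SYNs as seen a few hops away from the sender.
SYN_FROM_BASEOS10 = dict(window=64240, ttl=58, df=1, size=60, mss=1460,
                         options=['M1460', 'S', 'T', 'N', 'W7'])
SYN_FROM_OTHEROS = dict(window=16384, ttl=120, df=1, size=48, mss=1460,
                        options=['M1460', 'N', 'N', 'S'])

if __name__ == '__main__':
    db = parse_db(SAMPLE_DB)
    print(match(db, SYN_FROM_BASEOS10), match(db, SYN_FROM_OTHEROS))
    print(collisions(db, [parse_line(CANDIDATE)]))
```

Run against the constructed data, the candidate is reported as colliding with BaseOS, and after appending it the BaseOS 10 SYN matches both entries, which is the false-detection problem a reviewer would reject the entry for.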